Delegates at the most recent SC Media UK Roundtable held in Edinburgh last week covered insider threats in the finance sector and learned how the biggest cyber-criminal in the UK came from Scotland.
For our distinguished guest speaker it was almost a point of pride – though the fraudster's capture and conviction certainly added to the satisfaction.
Eighteen distinguished guests joined the discussion, hosted by Zonefox at the National Museum of Scotland in Edinburgh and moderated by SC's editor-in-chief Tony Morbin.
In his presentation, guest speaker Bill Buchanan, professor of computing at Edinburgh Napier University, told delegates about the case of a Glasgow man, convicted in 2016 of stealing £113 million from customers of Lloyd's and RBS banks.
Starting with information purchased from bank insiders, Feezan Hameed, then aged 23, would call the victims and tell them he was from the bank's fraud department and that their accounts were being attacked.
He would then ask for their login details and while he kept them busy on the phone, his associates would withdraw money and begin laundering it through a network of money mules.
His attacks weren't technically sophisticated, and to cover his tracks he didn't use TOR or VPNs but rather burner mobile phones and mobile dongles.
In one case, a law firm lost over £2 million and in another case a company lost £750,000. Law firms are particularly vulnerable as they may be holding large amounts of client money temporarily to facilitate business deals and house sales.
Apart from the obvious security lessons to be learned about trust, verification and two-factor authentication, it also illustrates the danger of the insider threat.
There are many methods for controlling the insider threat including strict controls on rights and the use of access logs, honeypots and tripwires. One of the biggest insider threats, Buchanan said, is the system administrator and in one project he worked on, this was the first person they kicked off the system.
However, his current work is focused on creating what he calls a "states model", a complete model of each member of staff and their typical patterns of activity.
One can try to deduce someone's state of mind and then predict their risk profile based against a “typical” baseline, but this doesn't entirely work because everyone has different moods and patterns of activity. On the one hand, you might consider that someone who is disengaged and has high absenteeism would be a threat, and yet the classic fraudster is the person who comes in early, works late and rarely takes a holiday because these people don't want anyone else to look at their work.
Don't trust anyone
It has been suggested that the country needs more laws to fight cyber-crime, but John Cuddihy, adviser at Globsec and former Head of Organised Crime and Counterterrorism at Police Scotland, noted how the anti-bribery act already criminalises insider threats – hence there is a raft of legislation out there.
Instead Cuddihy said, “It's about knowing and understanding what's available but also it's about compliance. How many people who are doing checks and balances within your organisation actually ensure there is compliance ongoing? Because they trust everybody. For me as a 30 years organised crime and terrorism police officer, I was brought up in a culture of distrust – I didn't trust anybody!”
He said organisational behaviour can weaken security culture. “From a human resource perspective, [monitoring staff] is seen as spying,” he said. Instead you need to ask, “How does organisational behaviour influence the health of your company?”
He also made the point that most fraud is conducted by people with little or no technical knowledge, citing a US fraud study which found that one percent of all fraud in America is conducted by people who are considered to be sophisticated, with knowledge of technology, while “78 percent is [committed] by people who don't know the difference between a gigabyte and a dog bite”.
Prof Bill Buchanan
Ian Davidson, IT manager at FreeAgent, made the point that in the past it was in the interests of banks to hide problems. Now it's vital to discuss problems with their peers, to share information, but they don't necessarily want to do this through formal channels.
“Banks actually talk to each other now,” he said. “They are quite good at it. Used to be that you would keep all your vulnerabilities secret – it was seen as a competitive advantage – but now because of the reputation of the banking industry, we are pulling together because if one bank gets hit, it knocks us all down.”
“There are the formal routes but there is also the trust circles,” he said. “I meet with my peers at the other large banks very much – if there's an incident, we get down the pub, have a quick chat, ‘you need to have a look at this'. Otherwise, we can't go through formal channels fast enough.”
Mandy Haeburn-Little, CEO of the Scottish Business Resilience Centre, said it's easy to “underestimate how important reputation is to business”.
“Business is fundamentally so anxious about coming forward because immediately they lose the confidence of business customers, and it loses the investors which is a really big driver.”
She has chaired two fora recently in the wake of WannaCry where private companies admitted they were affected. However, they don't want to report it to the police. “Police Scotland will verify this, but there was not one private sector business attack reported to them, and I think that is symptomatic of what we are saying, that we need to try to create an environment which is balanced by the legal implications of this, where it is all right for business to say, ‘We really need more information, we need more help and we need to be able to discuss this in a trusted way.'”
Laura Irvine, partner at BTO Solicitors, said that GDPR will have an impact on reporting, but there may be unintended consequences of the requirement that businesses report breaches within 72 hours to their country's data protection authority.
“The obligation is high and failure to do so can attract a fine of up to €10 million or two percent of global turnover,” she said. This is the fine for failure to report, and should not be confused with the fines of up to four percent of global turnover for failures which lead to a data breach.
“However, the missing piece is how will the ICO actually cope when organisations do start to report data breaches and what action are they going to take, what resources are they going to have available to them and how will they carry out all these investigations,” she said.
However, reporting could help take away the stigma of breaches, she suggested. “In the United States, where certain states have had an obligation to report for a long time – it's very consumer driven in America – it has levelled the playing field in terms of reputation to some extent, and that may happen here.”
In the current environment in which organisations are encouraged but not required to report breaches, public sector organisations tend to report while private companies do not – unless they are found out. This has led to the perception that public sector organisations are worse at information security than private companies – “I think we all know that this is not the case!” she said.
Matt Little, CTO at Zonefox, asked whether the ICO would prefer organisations to report within 72 hours even if they don't yet have the full details of the breach.
Irvine replied, “The ICO certainly initially will not expect sophisticated reporting, even if that is the aspiration within the legislation. They wouldn't be able to cope with that.”
Little followed up by saying that many organisations he spoke to “struggled to make the business case for the processes, teams and tools to build their GDPR response capability, so is this the business case?”
Irvine replied that according to what ICO representatives have told her, the ICO will expect organisations to be ready in May 2018. “There is no room for ‘getting ready for this' – we've already had two years,” she said. “If they see that you have tried to comply and something has gone wrong or they disagree with the way that you have interpreted the regulation, if they see that you have made the effort and you have thought about it, then that will be taken into account in enforcement action.”
Staff recruitment is a major headache when dealing with the insider threat, especially if your organisation is growing quickly.
John Young, head of infosec at the People's Postcode Lottery, said his organisation has grown from 50 to 300 staff over a few years. He said that building a security culture is the most important element in that process.
“The board of directors has taken note [of security],” he said, “and it's always something that's been inherent in the organisation… Making sure that security is built in to everything you do [is important]. I speak to every single member of staff who comes into the organisation, and I say to them I don't do this alone. I have to have an army of people who are engaged and aware and also feel empowered.”
One of the problems of empowering staff is reconciling that with the principle of least privilege access to network assets.
“We only give people the permission that they absolutely need to do their jobs,” he said, adding that this was part of their PCI compliance activities.
He also said he “very much buys into” the ISO 27000 series lifecycle.
Dr Keith Nicholson
Rory Alsop, head of information security at Risk Oversight, brought the discussion back to GDPR, saying that it was proving to be a useful tool for fine tuning security metrics.
“These are the metrics, we're getting a bit better here, but GDPR will take us into a place where the thresholds are bumped up a bit, so we can work toward improving those controls,” Alsop said.
The banks he works with run scenarios about the threats they face, and the three most likely scenarios include the insider threat – which ranks highly.
“The bigger threats include insider such as standalone – and that's combatted by absolute least privileges,” he said, asking, “At the extreme end, are pernicious states trying to get people on premises? I can absolutely guarantee it for any large corporate. Are they trying to blackmail or compromise staff? Sure – that's where we need to focus on at that end because at that point they have a lot of intelligence behind them so people can be coerced into doing things.”
The question of how engaged the board is around the cyber-security threat was brought up by Alex Lindl, business IS manager at Standard Life, who said that the Financial Conduct Authority (FCA) recently circulated a questionnaire about this.
Members of his board had recently asked questions about the insider threat, proving that they are absorbing the messages about this. “Putting across the business case is so much easier because they are coming to us and asking ‘what are you doing?' and we can say we are doing X, Y and Z, and for this middle bit – where we need to profile people – we need this tool and it is much easier to sell that requirement to them.”
The board game
Dr Keith Nicholson, chair of Cyber Security Scotland, sits on several boards where, he said, he is often the only one with cyber-security knowledge. He said it's a real challenge sometimes.
“If you talk to most boards about cyber-security, you either induce boredom or fear – neither are very helpful!” he said. “But if you start to talk about risk, they feel they understand it even if they don't really, and that's the level to get some engagement.”
Standards are all very well and good, he said, but they don't work if there aren't internal control mechanisms. “Boards need to realise that simply having certification or alignment of policies with standards in itself is no longer sufficient. There needs to be much greater understanding. It needs to have board representation and that might actually be the HR director because the biggest threat is behaviours.”
Security is an ecosystem, said Jamie Graves, CEO at Zonefox, and you have to have many things in place to prevent people from doing things they shouldn't do. “Is it an HR process, a security process?” he said. “You need that broad connection between different areas but it's about linking them together and making sure they work properly across departments as well as that silo of tech and security.”
Callum Logan, head of risk at Hampden Bank, said that cyber-security is at the top of his organisation's risk register. “I don't see that changing anytime soon, and of course part of cyber-security is the insider threat. It has focussed the board, but it is a struggle because everyone acknowledges that you could spend millions of pounds on protection but someone could still click on the wrong link or someone could still be influenced by someone external so you are never going to be fully protected.”
Nigel Harrison, acting chief operating officer at Cyber Security Challenge UK, believes that it has to be a multi-disciplinary approach with HR, legal, technical and others. “I think that is becoming more understood,” he said.
Mandy Haeburn-Little said there was a tendency to rely on the police to deal with cyber-crime incidents when the dependency could almost be the other way around. “There is an expectation that law enforcement will be able to jump in on everything, but actually the financial sector are the ones that have the live intelligence running all the time,” she said, adding that this could also help to make the cyber-security job more interesting as a career prospect for young people.
Privacy v security
One of the great issues of cyber-security is privacy and the question was put to the delegates as to how employee privacy and company security could be reconciled.
Matt Little said that with web firewalls, behaviour and internet access is already being examined. “In the next step, if we are worried about data and data loss, we are going to have to start looking at the sort of data that people access, how they access it and – in an appropriate way that is communicated to people so they are aware that this is happening – we need to start looking at the data itself and how people access that.”
He said machine learning tools can be used to look for anomalies and data access analysis would be an extension of that.
Rory Alsop suggested that to encourage staff to be innovative, you have to grant them a certain level of trust. “We worked with an organisation that communicated to their employees that you are allowed to do all of these things in your organisation but trust comes with, I guess, a balance cost which is that we monitor it. We could lock everything down, but that would make your lives miserable so we are going to open things up as much as we can. But it will be monitored.”
Richard Evans, head of technology and development at Nucleus Financial, said his organisation tries to be very open as well, but one has to remember that the GDPR applies to staff as well as customers.
“You have to be very explicit about what data you are collecting, how you want to use that. And that's a great thing – you can explain why you are doing this, the problems that it's trying to solve, what outcomes it gets and how it supports you doing things,” Evans said.
“It's very easy for someone to feel they are being constrained by the security rules and spin up a whole new IT department in Amazon, but if they actually understand what we are doing and what we are trying to achieve, they will stop and think and stop some of that accidental data loss,” he said.
John Cuddihy said that language is important and that it should be “inclusive but not intrusive”. Echoing Dr Keith Nicholson's comments, he said the HR department is the right place for this. “They are the best enablers, they are trained in human resource management,” he said.
He also encouraged people to work with staff associations and unions and explain the aims and objectives of cyber-security. “If you are inclusive within your approach, that employee will be more receptive to the needs of the organisation… identify yourself as a responsible employer seeking to protect their vulnerability from being exploited.”
Mark McLaughlin, information security manager at Aegon, said that sharing threat information was “absolutely vital to this”.
In a previous role, McLaughlin worked in online betting. “The bookies just hated talking to each other,” he said, “Eventually when they did, the benefits from knowing what was going on, knowing the threat and sharing that information made things so much easier.”
Mags McHardy, IT helpdesk technician at FreeAgent, said, “So much comes down to, if everyone engages from the bottom up, throughout entire businesses of all different types, if everyone starts to learn about the threats that are there and we all take responsibility for it, then it is going to come up through all the businesses.”
Ian Davidson said his organisation is growing and adding new technical staff. “Our software engineers and technically sophisticated people we have coming into the company, they believe encryption is on their side and they're masters of their own machine, and that's not the best model really.”
Alex Lindl said that dealing with the insider issue is about getting people to make the right choices. “If we can help our people make the right decisions, then that's as close to being fixed as we are going to get,” he said.
Laura Irvine reiterated that GDPR is a great opportunity to explain how an organisation is collecting data about staff and what it is doing with that information, something which she said will engender trust.
Stephen Hardie, CISO at Sainsbury's Bank, agreed, saying it's about being a responsible employer and “actually protecting our colleagues” from making mistakes and being exploited by those outside the organisation.
Jamie Graves apologised for resorting to cliches but said it's true that there is no such thing as a “silver bullet”.
“It's clear that it's not just one thing, it's lots of things combined together. It's existing processes, it's existing technology and people. It's heartening to see that. We are all seeing insider threat as just another risk, not an exponentially problematic one but one that can be dealt with under existing practices. But it's a case of the communications making sure the right pieces are stuck together,” he said.